Design and Implementation of the Policy Server in an SPS-Based Interconnected IPSec VPN
Abstract
As the Internet is used ever more widely in today's society, people place higher demands on network security. Organizations such as enterprises, universities and government agencies, as major participants in and users of the Internet, have adopted VPNs on a large scale as the security solution for their communications. Since the IETF defined the IPSec framework as the network-layer security protocol, IPSec has also been brought into VPN construction schemes, and IPSec VPN technology has since become a key topic in security research.
    This thesis analyzes existing IPSec VPN technology and, by examining how it works, identifies several problems with it: the compatibility of VPNs across heterogeneous networks, and the management of security policies by the system. The former arises because IPv6 is developing rapidly and has already entered practical use, so the transition of the network-layer protocol is under way and is expected to last a long time; the latter is raised from the standpoint of consistency and standardization in system management.
    The thesis discusses how introducing NAT technology into the VPN solves the interoperability problem between VPNs on IPv4 and IPv6 networks, ensuring that the VPN keeps operating normally throughout the network transition.
    The main body of the thesis focuses on how introducing a security policy system affects the way an IPSec VPN system works, and describes in detail the construction techniques and workflow of the security policy server, the core of the security policy system. A class-based system management scheme is proposed that integrates the management of users, policies and subnets into one organic whole and simplifies management. Within the policy management scheme, we analyze the confusion in policy management caused by interdependence among policies. Building on existing techniques, we propose a policy relativity algorithm and confirm its correctness and effectiveness both theoretically and by testing. With the algorithm, the policy management system can handle the large numbers of mutually interacting security policies found in complex networks, widening the range of situations the system can serve.
As the Internet develops, stricter network security solutions are required. As important participants in and users of the Internet, corporations, universities and governments choose VPNs as their security solution. Since the IETF designed the IPSec protocol, it has been used to construct VPN systems, and IPSec VPN has become a key problem in security research.
    The existing IPSec VPN technology is analyzed first, and some limitations are found: the compatibility of the different networks connected by the VPN, and the management of security policies. The former is raised by the rapid development of IPv6, which leads to a transition of the network protocol, while the latter is based on the consistency and standardization of system management.
    This paper discusses how to add NAT to the VPN system, by which we solve the problem that occurs when communication takes place between IPv4 and IPv6 networks.
    In the main body of this paper, we discuss the influence on the working mode of the IPSec VPN when the SPS is added, and introduce the technology of the security policy server, which is the kernel of the SPS. Through a class-based scheme, we bring the management of users, policies and subnetworks into a single entity. After analyzing the chaos raised by the relativity of policies, we develop the policy relativity algorithm and prove it correct and effective by deduction and testing. As a result of adding the algorithm to the SPS, the system gains the capability to deal with interrelated policies in more complicated networks.